Bug 346614

Summary: HttpConnection.handle() spins in case of SSL truncation attacks
Product: [RT] Jetty
Component: server
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: 7.4.0
Target Milestone: 7.2.x
Hardware: PC
OS: Linux
Whiteboard:
Reporter: Simone Bordet <simone.bordet>
Assignee: Simone Bordet <simone.bordet>
QA Contact:
CC: jetty-inbox

Description Simone Bordet 2011-05-20 05:45:38 EDT
In case of an SSL truncation attack, i.e. when a remote socket sends a TCP FIN before an SSL close alert, Jetty does not detect the situation cleanly, and the selector will continuously dispatch the endpoint (and hence the connection) because we do not close it.

Instead, we should detect the case, and close the endpoint.

Comment 1 Simone Bordet 2011-05-20 09:45:38 EDT
Fixed. We detect the FIN and act accordingly.
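
The selector spin described in this report can be reproduced without TLS, because a channel at end-of-stream stays readable until it is closed. The following is an added example, not Jetty's code and not the actual fix: the names `FinSpinDemo`, `run` and `closeOnEof` are hypothetical, and a plain loopback socket stands in for the SSL endpoint.

```java
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.*;

public class FinSpinDemo {
    // Counts how often the selector dispatches the endpoint after the peer's FIN.
    // closeOnEof=false models the reported behaviour, closeOnEof=true the remedy.
    static int run(boolean closeOnEof, int maxRounds) throws Exception {
        try (Selector selector = Selector.open();
             ServerSocketChannel server = ServerSocketChannel.open()) {
            server.bind(new InetSocketAddress("127.0.0.1", 0));
            SocketChannel client = SocketChannel.open(server.getLocalAddress());
            SocketChannel endpoint = server.accept();
            endpoint.configureBlocking(false);
            endpoint.register(selector, SelectionKey.OP_READ);
            client.close(); // peer sends TCP FIN; no TLS close alert precedes it

            int dispatches = 0;
            ByteBuffer buf = ByteBuffer.allocate(1024);
            for (int round = 0; round < maxRounds; round++) {
                if (selector.select(200) == 0) break; // nothing ready: loop is idle
                for (SelectionKey key : selector.selectedKeys()) {
                    dispatches++;
                    buf.clear();
                    int n = ((SocketChannel) key.channel()).read(buf);
                    if (n < 0 && closeOnEof) {
                        // End of stream. A TLS endpoint built on SSLEngine would call
                        // closeInbound() here, which throws SSLException when no
                        // close_notify was received, and then close as below.
                        key.cancel();
                        key.channel().close();
                    }
                }
                selector.selectedKeys().clear();
            }
            endpoint.close(); // no-op if already closed
            return dispatches;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("EOF ignored:  dispatches = " + run(false, 1000));
        System.out.println("EOF handled:  dispatches = " + run(true, 1000));
    }
}
```

With EOF ignored, every `select()` call returns immediately and the dispatch count reaches the round limit; with the endpoint closed on EOF, it is dispatched once and the loop goes idle.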